diff --git a/modules/post/windows/recon/outbound_ports.rb b/modules/post/windows/recon/outbound_ports.rb
index 02e403ce8a..d1c9357b65 100644
--- a/modules/post/windows/recon/outbound_ports.rb
+++ b/modules/post/windows/recon/outbound_ports.rb
@@ -24,17 +24,17 @@ class Metasploit3 < Msf::Post
 less noise in the network).
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'Borja Merino ' ],
- 'Platform' => [ 'win' ],
- 'SessionTypes' => [ 'meterpreter' ],
+ 'Author' => 'Borja Merino ',
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
 'References' => [
- [ 'URL', 'http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html' ]
+ ['URL', 'http://www.shelliscoming.com/2014/11/getting-outbound-filtering-rules-by.html']
 ]
 ))
 register_options(
 [
- OptAddress.new("ADDRESS" , [ true, 'Destination IP address.']),
+ OptAddress.new('ADDRESS' , [ true, 'Destination IP address.']),
 OptInt.new('HOPS', [true, 'Number of hops to get.', 3]),
 OptInt.new('MIN_TTL', [true, 'Starting TTL value.', 1]),
 OptString.new('PORTS', [true, 'Ports to test (e.g. 80,443,100-110).','80,443']),
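Review bot: The cleanup leaves `OptAddress.new('ADDRESS' , [ true, 'Destination IP address.'])` with a space before the comma and padding inside the brackets, while the sibling options right below it are written as `OptInt.new('HOPS', [true, ...])`; `OptAddress.new('ADDRESS', [true, 'Destination IP address.']),` would keep the option block uniform. The new `'Author'` value also ends in a trailing space (`'Borja Merino '`), which may only be how this page was rendered but is worth checking in the file itself.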
@@ -45,18 +45,20 @@ class Metasploit3 < Msf::Post
 def icmp_setup
 handler = client.railgun.ws2_32.socket("AF_INET", "SOCK_RAW", "IPPROTO_ICMP")
- if handler['GetLastError'] != 0
+ if handler['GetLastError'] == 0
+ vprint_status("ICMP raw socket created successfully")
+ else
 print_error("There was an error setting the ICMP raw socket; GetLastError: #{handler['GetLastError']}")
 return nil
 end
- vprint_status("ICMP raw socket created successfully")
 r = client.railgun.ws2_32.bind(handler['return'],"\x02\x00\x00\x00" << Rex::Socket.addr_aton(session.session_host) << "\x00"*8 ,16)
- if r['GetLastError'] != 0
+ if r['GetLastError'] == 0
+ vprint_status("ICMP socket successfully bound to #{session.session_host}")
+ else
 print_error("There was an error binding the ICMP socket to #{session.session_host}; GetLastError: #{r['GetLastError']}")
 return nil
 end
- vprint_status("ICMP socket successfully bound to #{session.session_host}")
 # int WSAIoctl(
 # _In_ SOCKET s,
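Review bot: The new `if handler['GetLastError'] == 0 ... else ... return nil end` shape moves the failure path into an `else` branch and drops the guard clause, which is the reverse of the early-return style the rest of the module relies on; `unless handler['GetLastError'] == 0` / `print_error(...)` / `return nil` / `end` followed by the `vprint_status` call keeps the happy path unindented. The same applies to the `bind` check further down this hunk and to the checks rewritten the same way in the next two hunks. Separately, when `bind` fails the raw socket just created is returned as nil without being released; a `client.railgun.ws2_32.closesocket(handler['return'])` before that `return nil` would avoid leaving the handle open on the target. icmp_setup continues past the end of this hunk.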
@@ -71,32 +73,34 @@ class Metasploit3 < Msf::Post
 # );
 sio_rcvall = 0x98000001
- r = client.railgun.ws2_32.WSAIoctl(handler['return'],sio_rcvall,"\x01",4,nil,0,4,nil,nil)
- if r['GetLastError'] != 0
+ r = client.railgun.ws2_32.WSAIoctl(handler['return'], sio_rcvall, "\x01", 4, nil, 0 ,4, nil, nil)
+ if r['GetLastError'] == 0
+ return handler['return']
+ else
 print_error("There was an error calling WSAIoctl (ICMP raw socket); GetLastError: #{r['GetLastError']}")
 return nil
 end
- return handler['return']
 end
 def tcp_setup(ttl)
- handler = client.railgun.ws2_32.socket("AF_INET", "SOCK_STREAM", "IPPROTO_TCP")
- if handler['GetLastError'] != 0
+ handler = client.railgun.ws2_32.socket('AF_INET', 'SOCK_STREAM', 'IPPROTO_TCP')
+ if handler['GetLastError'] == 0
+ vprint_status('TCP socket created successfully')
+ else
 print_error("There was an error setting the TCP socket; GetLastError: #{handler['GetLastError']}")
 return nil
 end
- vprint_status("TCP socket created successfully")
 # 0x8004667E = FIONBIO
 # Enable non-blocking mode when *argp (third parameter in ioctlsocket) is set to a nonzero value
- cmd = 0x8004667E
 r = client.railgun.ws2_32.ioctlsocket(handler['return'], cmd, 1)
- if r['GetLastError'] != 0
+ if r['GetLastError'] == 0
+ vprint_status('TCP socket successfully configured in non-blocking mode')
+ else
 print_error("There was an error setting the TCP socket in non-blocking mode; GetLastError: #{r['GetLastError']}")
 return nil
 end
- vprint_status("TCP socket successfully configured in non-blocking mode")
 # int setsockopt(
 # _In_ SOCKET s,
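Review bot: The removed line `cmd = 0x8004667E` was the only definition of `cmd`, yet the unchanged context line right after it, `r = client.railgun.ws2_32.ioctlsocket(handler['return'], cmd, 1)`, still uses it, so tcp_setup will raise NameError on its first call unless `cmd` is defined somewhere outside the hunks shown. The next hunk has the same problem: `ipproto_ip = 0` is removed while `setsockopt(handler['return'], ipproto_ip, ip_ttl, ...)` keeps referencing it. Either restore the two assignments or replace them with class-level constants (for example `FIONBIO = 0x8004667E` and `IPPROTO_IP = 0`, names constructed here) and update both call sites. Also, when `WSAIoctl` or `ioctlsocket` fails the method returns nil without closing the socket it just created, so the handle stays open on the target; a `closesocket(handler['return'])` in each failure branch would release it. tcp_setup continues past the end of this hunk.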
@@ -105,28 +109,32 @@ class Metasploit3 < Msf::Post
 # _In_ const char *optval,
 #_In_ int optlen
 # );
- ipproto_ip = 0
 ip_ttl = 4
 r = client.railgun.ws2_32.setsockopt(handler['return'], ipproto_ip, ip_ttl, [ttl].pack('C'), 4)
- if r['GetLastError'] != 0
+ if r['GetLastError'] == 0
+ vprint_status("TTL value successfully set to #{ttl}")
+ return handler['return']
+ else
 print_error("There was an error setting the TTL value; GetLastError: #{r['GetLastError']}")
 return nil
 end
- vprint_status("TTL value successfully set to #{ttl}")
- return handler['return']
 end
 def connections(remote, dst_port, h_icmp, h_tcp, to)
- r = client.railgun.ws2_32.connect(h_tcp, "\x02\x00" << [dst_port].pack("n") << Rex::Socket.addr_aton(remote) << "\x00"*8 , 16)
+ sock_addr = "\x02\x00"
+ sock_addr << [dst_port].pack('n')
+ sock_addr << Rex::Socket.addr_aton(remote)
+ sock_addr << "\x00" * 8
+ r = client.railgun.ws2_32.connect(h_tcp, sock_addr, 16)
 # A GetLastError == 1035 is expected since the socket is set to non-blocking mode
- if r['GetLastError'] != 10035
+ unless r['GetLastError'] == 10035
 print_error("There was an error creating the connection to the peer #{remote}; GetLastError: #{r['GetLastError']}")
 return
 end
- from = " " * 16
+ from = ' ' * 16
 begin
 ::Timeout.timeout(to) do
@@ -137,7 +145,6 @@ class Metasploit3 < Msf::Post
 rescue ::Timeout::Error
 return nil
 end
-
 end
 def run
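Review bot: The comment kept above the rewritten check, `# A GetLastError == 1035 is expected since the socket is set to non-blocking mode`, does not match the value the new `unless r['GetLastError'] == 10035` line tests; it should read `# A GetLastError == 10035 (WSAEWOULDBLOCK) is expected since the socket is set to non-blocking mode`. The new `sock_addr = "\x02\x00"` followed by `sock_addr << ...` mutates a string literal, which will raise FrozenError if the file ever gains `# frozen_string_literal: true`; `sock_addr = String.new("\x02\x00")` avoids that. On the unchanged `setsockopt` line, `[ttl].pack('C')` is a one-byte buffer passed with an optlen of 4, so the remaining bytes of the int may be read from beyond the buffer; `[ttl].pack('V')` would supply the four-byte value the call declares. connections continues past the end of this hunk.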
@@ -163,27 +170,27 @@ class Metasploit3 < Msf::Post
 ports.each do |dport|
 pub_ip = false
 print_status("Testing port #{dport}...")
- 0.upto(datastore['HOPS'] - 1) { |i|
+ 0.upto(datastore['HOPS'] - 1) do |i|
 i = i + datastore['MIN_TTL']
 h_icmp = icmp_setup
 return if h_icmp.nil?
 h_tcp = tcp_setup(i)
- return if h_tcp .nil?
+ return if h_tcp.nil?
 hop = connections(remote, dport, h_icmp, h_tcp, to)
- if hop != nil
- print_good("#{i} #{hop}")
- if !Rex::Socket.is_internal?(hop)
- pub_ip = true
- break if datastore['STOP'] == true
- end
- else
+ if hop.nil?
 print_error("#{i} *")
+ else
+ print_good("#{i} #{hop}")
+ unless Rex::Socket.is_internal?(hop)
+ pub_ip = true
+ break if datastore['STOP']
+ end
 end
 client.railgun.ws2_32.closesocket(h_tcp)
 client.railgun.ws2_32.closesocket(h_icmp)
- }
- print_good("Public IP reached. The TCP port #{dport} is not filtered") if pub_ip == true
+ end
+ print_good("Public IP reached. The TCP port #{dport} is not filtered") if pub_ip
 end
 end
 end
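Review bot: `return if h_tcp.nil?` leaves the `h_icmp` raw socket created two lines earlier open, and `break if datastore['STOP']` jumps out of the `upto` block before the two `closesocket` calls at its end, so in both paths socket handles stay open on the target for the rest of the session. Closing `h_icmp` before that `return`, and running the two `closesocket` calls in an `ensure` with the stop decision deferred until after them, covers both cases. The `i = i + datastore['MIN_TTL']` line also reassigns the block parameter, which reads better as a separate `ttl` local. run starts before this hunk.
```ruby
      0.upto(datastore['HOPS'] - 1) do |i|
        ttl = i + datastore['MIN_TTL']
        h_icmp = icmp_setup
        return if h_icmp.nil?
        h_tcp = tcp_setup(ttl)
        if h_tcp.nil?
          client.railgun.ws2_32.closesocket(h_icmp)
          return
        end
        stop = false
        begin
          hop = connections(remote, dport, h_icmp, h_tcp, to)
          if hop.nil?
            print_error("#{ttl} *")
          else
            print_good("#{ttl} #{hop}")
            unless Rex::Socket.is_internal?(hop)
              pub_ip = true
              stop = datastore['STOP']
            end
          end
        ensure
          # Always release both handles, even when the hop loop is cut short.
          client.railgun.ws2_32.closesocket(h_tcp)
          client.railgun.ws2_32.closesocket(h_icmp)
        end
        break if stop
      end
      # … unchanged: per-port "Public IP reached" report …
```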